vim /usr/lib/systemd/system/docker.service
//无证书 不安全
ExecStart=/usr/bin/dockerd的后面加上 -H tcp://0.0.0.0:7327 -H unix:///var/run/docker.sock
//有证书
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/DockerServiceCA/ca.pem --tlscert=/DockerServiceCA/server-cert.pem --tlskey=/DockerServiceCA/server-key.pem -H tcp://0.0.0.0:7327 -H unix:///var/run/docker.sock
#创建ca-key.pem,需要输入密码,后面会用到
openssl genrsa -aes256 -out ca-key.pem 2048
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 2048
#修改`$HOST`,建议设置为本机IP地址。
openssl req -subj "/CN=$HOST" -new -key server-key.pem -out server.csr
#修改IP地址,`$HOST`,为本机IP地址。
echo subjectAltName = IP:$HOST,IP:0.0.0.0 > extfile.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
#删除下面两个文件
rm -v client.csr server.csr
#修改权限
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
#重启docker
systemctl daemon-reload
systemctl start docker
评论